But the problem is that the dm_bp_transition method accepts not only a dm_procedure object as its argument, but any sysobject as well.

CS-44435: any user can execute Java code on behalf of the superuser

The problem was that in the default setup Documentum has two folders inside the ‘/System/Modules’ folder that are writable by any user; these folders are:

/System/Modules/Validation/Java/dmc_JavaDocbasicSyncObject

/System/Modules/Validation/Java
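
A check for this misconfiguration, added here as an example that is not part of the original post or of EMC's own code: a small DFC program that logs in as a given user, prints that user's effective permit on the two folders above and flags any ACL entry that grants dm_world WRITE or higher. The docbase name, user name and password are assumptions passed on the command line, and the class name is hypothetical; run it as an ordinary, non-superuser account, since the point is what a regular user can do.

```java
import com.documentum.com.DfClientX;
import com.documentum.com.IDfClientX;
import com.documentum.fc.client.IDfACL;
import com.documentum.fc.client.IDfClient;
import com.documentum.fc.client.IDfFolder;
import com.documentum.fc.client.IDfSession;
import com.documentum.fc.client.IDfSessionManager;
import com.documentum.fc.common.DfException;
import com.documentum.fc.common.IDfLoginInfo;

/**
 * Added example (not from the original post): reports the calling user's
 * effective permit on the two /System/Modules folders named in the post and
 * lists ACL entries that give dm_world WRITE or more. A permit of WRITE (6)
 * or higher for a regular user means that user can link new objects, such as
 * a dmc_module, into the folder. Exit code 1 if any folder is writable.
 */
public class ModulesFolderAclCheck {

    // Folders named in the post as writable by any user in a default setup.
    static final String[] FOLDERS = {
        "/System/Modules/Validation/Java",
        "/System/Modules/Validation/Java/dmc_JavaDocbasicSyncObject",
    };

    public static void main(String[] args) throws DfException {
        if (args.length != 3) {
            System.err.println("usage: ModulesFolderAclCheck <docbase> <user> <password>");
            System.exit(2);
        }
        // Docbase name and credentials are assumptions taken from the command line.
        IDfClientX clientx = new DfClientX();
        IDfClient client = clientx.getLocalClient();
        IDfSessionManager sMgr = client.newSessionManager();
        IDfLoginInfo login = clientx.getLoginInfo();
        login.setUser(args[1]);
        login.setPassword(args[2]);
        sMgr.setIdentity(args[0], login);

        IDfSession session = sMgr.getSession(args[0]);
        boolean writable = false;
        try {
            for (String path : FOLDERS) {
                writable |= checkFolder(session, path);
            }
        } finally {
            sMgr.release(session);
        }
        System.exit(writable ? 1 : 0);
    }

    /** Returns true if the session's user has WRITE or higher on the folder at path. */
    static boolean checkFolder(IDfSession session, String path) throws DfException {
        IDfFolder folder = session.getFolderByPath(path);
        if (folder == null) {
            System.out.println(path + ": not found (or not browsable by this user)");
            return false;
        }
        int myPermit = folder.getPermit();   // effective permit of the session user
        IDfACL acl = folder.getACL();
        System.out.println(path + ": my permit=" + myPermit
                + " acl=" + acl.getDomain() + "/" + acl.getObjectName());

        // dm_world at WRITE or above is exactly the broad grant the post describes.
        for (int i = 0; i < acl.getAccessorCount(); i++) {
            String accessor = acl.getAccessorName(i);
            int permit = acl.getAccessorPermit(i);
            if ("dm_world".equals(accessor) && permit >= IDfACL.DF_PERMIT_WRITE) {
                System.out.println("  WARNING: " + accessor + " has permit " + permit);
            }
        }
        return myPermit >= IDfACL.DF_PERMIT_WRITE;
    }
}
```

Run it with the DFC jars and a valid dfc.properties on the classpath. The result is only meaningful if folder security is enabled in the docbase; with folder security off, folder permits do not restrict linking at all, which is worse, not better.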

That means any user is able to create their own dmc_module object and execute arbitrary Java code on the JMS or application server. Let's check what EMC did to fix this issue.
Previously some restrictions were applied by DFC to prevent creation of dmc_module objects by a regular user:

but because only a superuser is able to execute this method, it's possible to exploit the vulnerability only through another XSRF vulnerability or through a job. But EMC has announced this vulnerability as fixed, so now I'm announcing it as not fixed: the fix has the same mistake as CS-44409: